It seems that aluminum maker Norsk Hydro wasn’t the only industrial outfit hackers hit with the relatively new but rapidly spreading LockerGoga ransomware virus.
Two weeks ago, unknown cyber kidnappers also aimed the virulent malware at U.S. chemicals companies Hexion and Momentive. Those attacks blocked employees from using their computers. And the costs are piling up -- with at least $40 million in initial damages over at Norsk Hydro, according to reports.
The discovery of additional victims brings the count to at least four (a French engineering consultancy was reportedly hit in January), implicating LockerGoga as the attackers’ malware of choice. But there are likely many others. Anti-malware specialist Kaspersky told Motherboard that it knows of more instances, and FireEye told Wired that it has been called in on multiple LockerGoga attacks, also against industrial and manufacturing targets. The MalwareHunterTeam, which initially named the ransomware, estimates the total victim count to be in the dozens, some of which have already paid six-figure ransoms to have their systems restored.
So, let's see...we have a dangerous ransomware strain hitting industrial and manufacturing targets and nobody says anything about it until now? Because why?
SEC Filing: Hexion Discloses LockerGoga Ransomware
In a March 22, 2019 Securities and Exchange Commission (SEC) 8-K filing, Hexion acknowledged the LockerGoga attack and said that it had “taken steps” to restore its network and resume normal operations. Officials called the extortion episode a “network security incident” that blocked access to “certain systems and data within the company’s network.” In other words, a ransomware attack.
Hexion officials said the company shut down its IT systems, including email, to contain the infection. The company doesn’t believe that any customer, supplier or employee data has been compromised. Hexion didn’t say how much ransom the kidnappers demanded or whether it has paid or plans to pay any of it. Most of the damage apparently affected Hexion’s corporate functions, while its manufacturing sites, which use separate networks, were minimally hit by the attack. It’s not known whether Hexion has engaged security providers, especially managed security service providers (MSSPs), to help it handle the attack’s fallout.
Momentive Discloses LockerGoga Ransomware Attack
As for Momentive, the company said it had taken “immediate action to contain the incident and has implemented its business continuity plan.” External security experts, as in MSSPs, are part of Momentive’s plan to thwart the cyber kidnapping and help with its recovery, officials said.
There are some particularly disturbing aspects to the LockerGoga malware (via Wired):
- LockerGoga shuts down computers, locks out their users and makes it difficult, if not impossible, for victims to pay the ransom.
- The attackers seem to know targets' credentials at the start of an intrusion.
- Before running their encryption code, the hackers use a "task kill" command on target machines to disable their antivirus. The malware subsequently encrypts the computer’s files.
- Victims then get a ransom demand note: "Greetings! There was a significant flaw in the security system of your company...You should be thankful the flaw was exploited by serious people and not by some rookies. They would have damaged all your data by mistake or for fun." (The use of the word “rookies” is particularly interesting.)
- The attackers do not name their price in the note but instead provide email addresses to contact the hackers to negotiate a satisfactory bitcoin amount.
In the most recent version, LockerGoga disconnects the computer's network adapter from the network, changes the user and admin credentials, and logs the machine off. That makes it just a bit difficult for victims to recognize they’re being extorted and certainly to acquiesce to the kidnappers’ demands should they choose that route.
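The behaviours listed above (antivirus killed with a task-kill command, credentials changed, network adapter disconnected, user logged off) are individually common administrative actions, which is why a single one rarely justifies an alert; seeing several of them on one host within a short window is the signal a defender can act on. The following Python script is an added example of that correlation and is not code from the article or from any of the companies or vendors it names. The process-creation log format, host and account names, timestamps and the antivirus process names are all constructed assumptions; a real deployment would feed it EDR or Sysmon process-creation events and substitute its own AV vendor's process names.

```python
"""Added example: correlate process-creation log lines for the multi-step
behaviour described in the article (AV killed, credentials changed, NIC
disabled, user logged off) on a single host inside a short time window.
Log format, hosts, users and process names below are constructed samples."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log line layout (not a specific EDR format):
#   <ISO timestamp> host=<name> user=<name> cmd=<full command line>
LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) cmd=(?P<cmd>.*)$'
)

# Placeholder AV process names; replace with your own vendor's binaries.
AV_PROCESS_NAMES = ("antivirus_svc", "endpoint_agent")
AV_PATTERN = "|".join(re.escape(n) for n in AV_PROCESS_NAMES)

# One generic rule per behaviour from the article. The patterns are
# illustrative, not LockerGoga's literal command strings.
RULES = [
    ("av_kill", re.compile(r'\btaskkill\b.*\b(' + AV_PATTERN + r')\b', re.I)),
    ("cred_change", re.compile(r'\bnet\s+user\s+\S+\s+\S+', re.I)),  # password set/add
    ("nic_disable", re.compile(r'\bnetsh\b.*\binterface\b.*\bdisable\b', re.I)),
    ("logoff", re.compile(r'\b(shutdown\s+/l|logoff)\b', re.I)),
]

WINDOW = timedelta(minutes=30)   # how close together the steps must be
ALERT_THRESHOLD = 3              # distinct behaviours needed on one host


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"],
            "user": m["user"], "cmd": m["cmd"]}


def classify(cmd):
    """Return the labels of every rule the command line matches."""
    return [label for label, rx in RULES if rx.search(cmd)]


def correlate(lines, window=WINDOW, threshold=ALERT_THRESHOLD):
    """Collect rule hits per host and alert when at least `threshold`
    distinct behaviours fall inside `window`. Returns {host: sorted labels}."""
    events = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        for label in classify(ev["cmd"]):
            events[ev["host"]].append((ev["ts"], label))

    alerts = {}
    for host, evs in events.items():
        evs.sort()
        # Slide a window anchored at each event; stop at the first hit.
        for i, (start, _) in enumerate(evs):
            labels = {lab for ts, lab in evs[i:] if ts - start <= window}
            if len(labels) >= threshold:
                alerts[host] = sorted(labels)
                break
    return alerts


# Constructed sample telemetry: one host shows the full chain, one host
# shows benign look-alikes, one host shows a single isolated account change.
SAMPLE_LOG = """\
2019-03-12T02:14:05 host=FIN-WS07 user=svc_backup cmd=taskkill /f /im antivirus_svc.exe
2019-03-12T02:14:09 host=FIN-WS07 user=svc_backup cmd=net user jdoe Xy7!pq9Lm
2019-03-12T02:21:40 host=FIN-WS07 user=svc_backup cmd=netsh interface set interface "Ethernet" admin=disable
2019-03-12T02:21:44 host=FIN-WS07 user=svc_backup cmd=shutdown /l
2019-03-12T09:30:00 host=ENG-WS12 user=mbrown cmd=taskkill /f /im notepad.exe
2019-03-12T09:31:00 host=ENG-WS12 user=mbrown cmd=netsh interface show interface
2019-03-13T11:00:00 host=HR-WS03 user=admin cmd=net user temp_contractor P@ssw0rd!
"""


def run_sample():
    """Run the correlation over the constructed sample log."""
    return correlate(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for host, labels in run_sample().items():
        print(f"ALERT {host}: {', '.join(labels)}")
```

Only FIN-WS07 trips the alert: the benign task kill and the interface listing on ENG-WS12 match no rule, and the lone password change on HR-WS03 stays below the threshold. The window and threshold are the tuning knobs; an environment where help-desk staff routinely reset passwords and toggle adapters will want a tighter window or a higher threshold, while the AV-kill rule on its own is rare enough in most fleets to be worth a lower-severity alert by itself.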